CVE-2026-23573
FortiOS Análisis y mitigación de vulnerabilidades

Vista general

CVE-2026-23573 is a Cross-Site Scripting (XSS) vulnerability in Fortinet's SSL-VPN Agentless component affecting FortiOS, FortiProxy, and FortiPAM. It was disclosed on July 14, 2026, via Fortinet's PSIRT advisory (FG-IR-26-150). Affected versions include FortiOS 7.6.0–7.6.6, FortiOS 7.4 and 7.2 (all versions), FortiPAM 1.0–1.8.0, and FortiProxy 7.4.0–7.4.3 and 7.2.0–7.2.9. The vulnerability carries a CVSS v3.1 base score of 6.1 (Medium) and was reported to Fortinet by the UK's National Cyber Security Centre (NCSC) under responsible disclosure (FortiGuard Advisory).

Técnicas

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation — Cross-site Scripting) and resides specifically in the Agentless SSL-VPN component of the affected Fortinet products. An authenticated remote attacker can send crafted HTTP requests that inject malicious scripts into web pages generated by the SSL-VPN interface, potentially leading to code or command execution in the context of a victim's browser session. Exploitation requires user interaction (e.g., a victim clicking a malicious link or visiting a crafted page), and the vulnerability only has impact when the Agentless SSL-VPN feature is enabled (FortiGuard Advisory).

Impacto

Successful exploitation allows an authenticated attacker to execute arbitrary code or commands in the context of another user's browser session via reflected XSS, resulting in low confidentiality and integrity impacts with no direct availability impact. The scope is changed (S:C), meaning the attack can affect resources beyond the vulnerable component itself, such as session tokens or credentials of other authenticated users. If the Agentless SSL-VPN feature is not enabled, there is no impact (FortiGuard Advisory).

Pasos de explotación

  1. Identify target: Confirm the target Fortinet device (FortiOS, FortiProxy, or FortiPAM) is running a vulnerable version with the Agentless SSL-VPN feature enabled and accessible over the network.
  2. Authenticate: Obtain valid credentials for the target system, as exploitation requires an authenticated session.
  3. Craft malicious request: Construct an HTTP request containing a malicious XSS payload targeting the SSL-VPN web page generation component (e.g., injecting a <script> tag or event handler into a vulnerable input parameter processed by the Agentless SSL-VPN interface).
  4. Deliver payload: Trick a victim user (e.g., an administrator) into clicking a crafted link or visiting a page that triggers the reflected XSS payload in their browser session.
  5. Achieve objective: The injected script executes in the victim's browser context, potentially stealing session cookies, credentials, or performing actions on behalf of the victim user (FortiGuard Advisory).

Indicadores de compromiso

  • Network: Unusual HTTP requests to SSL-VPN endpoints containing encoded or obfuscated script tags (e.g., <script>, javascript:, onerror=, onload=) in query parameters or form fields; unexpected outbound connections from client browsers to unknown external hosts after interacting with the SSL-VPN portal.
  • Logs: Web server or FortiOS access logs showing requests to Agentless SSL-VPN URLs with anomalous parameter values containing HTML/JavaScript injection patterns; repeated requests from a single authenticated user with varying payloads.
  • File System: No specific file artifacts expected for reflected XSS; however, monitor for unexpected configuration changes or new administrative accounts created following a successful session hijack.
  • Process/Session: Unexpected administrative actions (configuration changes, new user creation) performed under legitimate user accounts that may indicate session hijacking following XSS exploitation (FortiGuard Advisory).

Mitigación y soluciones alternativas

Fortinet has released patched versions: FortiOS 7.6.7 or above (for 7.6.x users), FortiPAM 1.8.1 or above (for 1.8.0 users), FortiProxy 7.4.4 or above (for 7.4.x users), and FortiProxy 7.2.10 or above (for 7.2.x users). Users on FortiOS 7.4 or 7.2 (all versions) and FortiPAM versions prior to 1.8 should migrate to a fixed release. As a workaround, disabling the Agentless SSL-VPN feature entirely eliminates the attack surface, as the vulnerability only affects this specific component. A virtual patch named FG-VD-60129.0day is also available in FMWP database update 26.021 for environments that cannot immediately upgrade (FortiGuard Advisory).

Reacciones de la comunidad

The vulnerability was reported to Fortinet by the UK's National Cyber Security Centre (NCSC) under responsible disclosure, indicating coordinated handling prior to public release. Security news outlets such as CyberSecurityNews covered the disclosure as part of a broader Fortinet patch release addressing seven vulnerabilities across FortiOS, FortiProxy, FortiPAM, and FortiSandbox (CyberSecurityNews). No significant independent researcher commentary or social media controversy has been observed at this time.

Recursos adicionales


FuenteEste informe se generó utilizando IA

Relacionado FortiOS Vulnerabilidades:

CVE ID

Severidad

Puntuación

Tecnologías

Nombre del componente

Exploit de CISA KEV

Tiene arreglo

Fecha de publicación

CVE-2026-59837MEDIUM6.6
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
NoJul 14, 2026
CVE-2026-23573MEDIUM6.1
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortiproxy
NoJul 14, 2026
CVE-2026-59839MEDIUM5.5
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortiproxy
NoJul 14, 2026
CVE-2026-59840MEDIUM4.3
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortiproxy
NoJul 14, 2026
CVE-2025-62826MEDIUM4.3
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortiproxy
NoJul 14, 2026

Evaluación gratuita de vulnerabilidades

Compare su postura de seguridad en la nube

Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.

Solicitar evaluación

Recursos adicionales de Wiz

Obtén una demostración personalizada

¿Listo para ver a Wiz en acción?

"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
David EstlickCISO
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
Adam FletcherJefe de Seguridad
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."
Greg PoniatowskiJefe de Gestión de Amenazas y Vulnerabilidades